Federal Taxation | Tax Stringer

Cybersecurity Best Practices for Family Offices

Cyber risks and the resulting impacts are at an unprecedented high, with the potential to cause significant monetary and reputational damage. Today, cybercriminals seek out high-value entities that are perceived to have insufficient cybersecurity controls — making family offices prime targets.

Individuals and families of significant wealth face cybersecurity challenges similar to those of large corporations, but rarely have the resources to adequately protect themselves. Traditionally, families have relied on banks to protect their information and funds. Yet as the use of and dependency on technology continues to expand, the threat of cybercrimes increases, making reliance solely on financial institutions insufficient.

Technology has become part of the fabric of everyday life, and in many ways a necessity, as it helps family offices and their associated entities operate more efficiently. However, technology also exposes those who use it to evolving cybersecurity threats. In fact, the risk of such cyber threats is more a matter of when—not if—a tech-borne breach will occur.

Between 2010 and 2021, the U.S.-dollar value of reported cybercrimes went from $485.3 million to $4.2 billion, according to the Internet Crime Complaint Center, a resource of the FBI. That’s an increase of 765%. A family office has a multitude of responsibilities that spans well beyond traditional financial objectives; it typically does not have the expertise to navigate and protect against this evolving attack landscape. The tools and services family offices use are often accessible online from a variety of personal devices, opening ultra-high-net-worth clients to unwarranted intrusions, or worse.

To make the most of technologies, family offices should keep apprised of evolving cybersecurity threats, and employ best practices to prepare for possible scenarios or—ideally—plan for and have the ability to neutralize them before trouble starts. In short, they must undertake a more proactive approach toward protecting their sensitive information and their entities.

Managing technology risks in a family-office setting

Family offices may differ from one another in scope, purview, and legal structure, but they have shared characteristics. They’re typically operated for (and often by) a single (sometimes extended) family with at least $100 million in liquid assets. Beyond wealth management, most family offices help clients with a combination of hard-asset management, philanthropy, wealth planning, and insurance oversight. They may also provide or supervise personal and household administrative services, physical security, concierge, and other services as needed. Technology is an underpinning need within family office operations.

Although family offices are integral to the lives of those they serve, the technologies used can open their clients up to threats if not appropriately managed and protected. Bad actors with access to the technology family offices and their clients rely on can misuse access to digital mailboxes and information to—for example—facilitate physical security incidents, use purloined personal data to steal from finance-related accounts, initiate fraudulent payments to third-party vendors, or leak sensitive information that can impact reputations.

To balance the risks associated with and benefits of family-office technology, families should first work to understand their cyber risk profile. They can do this by asking themselves:

  • Who has access to networks, systems, or passwords? When did we last review this, and is it appropriate based on individual roles?
  • Are channels such as e-mail and document repositories secured?
  • Who is monitoring the technology environment/services in use for suspicious activity or behavior? How will we know if there is a breach?
  • Can I trust that my technology providers are leveraging security best practices and adequately protecting us?

Tailoring solutions to a family’s unique digital landscape

For better insight, let’s suppose a family office engages Geller Advisors for a security review. Our firm’s internal cyber capability has been built to be commensurate with a F500 company, protecting clients for decades. As a multi-family office with an enterprise-level security program, we bring a specialized approach when working with other family offices, families, foundations, and operating businesses, as we are acutely aware of their unique needs. Our cyber experts design and implement controls that are aligned with best practices and embed cybersecurity into the management of the family office’s (or foundation’s or business’s) technology.

In this hypothetical security assessment, we most frequently find that the following areas need attention:  

  • Use security controls that ensure systems and services housing sensitive information assets are protected against unauthorized data disclosures
  • Ensure systems and applications are running the most recent, stable version offered, as software providers regularly patch for known software vulnerabilities
  • Ensure a secure sharing mechanism with recognized encryption standards is in place for sharing sensitive data with third parties
  • Explore a mobile device management strategy that aligns to the organization’s risk posture
  • Implement multi-factor authentication for email and all critical systems and services
  • Use password-management tools and policies to prevent account holders from reusing passwords, and ensure only authorized users have auditable access to accounts
  • Develop a baseline for expected behavior and interaction with sensitive data, while leveraging technologies with external resources for monitoring against that baseline

To bolster these recommended practices, family offices should view their software and other technologies through the lens of proactive cybersecurity. Cybersecurity is not a strategy that should be implemented and forgotten. New vulnerabilities are constantly emerging and attackers are becoming more and more sophisticated. Security controls must be viewed as dynamic controls—constantly managed and tweaked—to continue to protect organizations.

As both the reliance on technology and the complexity and frequency of threats facing family offices evolve, understanding the risks and mitigating controls associated with cybercrime, fraud, privacy violations, and technology risk requires a holistic approach. It is recommended that family offices take a multifaceted approach to privacy and security in order to understand their unique risks and better plan for the security of their family.

 


Jamie Herman, CCISO, CISSP, CISM, serves as Chief Information Security Officer and Head of Cyber Services at Geller Advisors. He has over 20 years of experience in implementing risk management, data privacy, and information security programs that focus on overseeing private client data protection, corporate governance, and risk management strategy. Jamie works with clients and company executives to help them understand and navigate privacy and technology risks specific to their families and associated entities. As a security leader, Jamie’s team leads efforts to build and sustain a strong and integrated risk culture in which staff and clients are educated on how to manage strategic, operational, and reputational risks. Prior to joining Geller Advisors, Jamie held several senior information security roles at multinational organizations, where he led innovative security initiatives including vulnerability management plans, security strategy development, and corporate policy designs. Additionally, he collaborated with a wide network of public and private industry information security experts to deliver forward-thinking security thought leadership. Jamie received a bachelor of science in computer and digital forensics from Champlain College, and is a frequent speaker on information security and risk management topics.

 

This communication has been prepared by Geller Advisors LLC (“Geller Advisors”) and is being provided for information purposes only and not intended as a thorough, in-depth analysis of specific issues. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained herein. This communication shall not be construed as an offer to sell or solicitation to buy a security or any other products or services from Geller Advisors or its affiliates.

Geller Advisors LLC is registered as an investment adviser with the U.S. Securities and Exchange Commission. Geller Advisors delivers multidisciplinary family office and wealth management services to individuals and families of significant wealth. Geller Advisors is a wholly owned subsidiary of Geller & Company. For more information about Geller Advisors go to www.gelleradvisors.com.

If you or a client would like to discuss any of this information further, please contact the author Jamie Herman at jherman@gellerco.com.